Homebox
CVE-2026-26272
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in their browser, the embedded JavaScript executes in the context of the application's origin. This vulnerability is fixed in 0.24.0-rc.1.
AnalysisAI
Stored XSS in Homebox prior to 0.24.0-rc.1 allows authenticated users to upload malicious HTML or SVG files containing executable JavaScript that runs in the application's security context when accessed by other users. An attacker with valid credentials can exploit improper file type validation in the attachment upload feature to execute arbitrary scripts against victims viewing the malicious files. The vulnerability has been patched in version 0.24.0-rc.1.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the item attachment upload component of Homebox. HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malicious HTML or SVG files containing executable JavaScript (also, potentially other formats that render scripts). Uploaded attachments are accessible via direct links. When a user accesses such a file in
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 0.24.0. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Broken access control in HomeBox prior to 0.25.0 allows authenticated users with revoked group access to continue perfor
Homebox prior to version 0.24.0 fails to validate the TrustProxy configuration setting, allowing attackers to bypass aut
Homebox prior to 0.24.0-rc.1 allows authenticated users to trigger HTTP POST requests to arbitrary destinations through
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today